Slide 6: Why Should You Care About PCI
- First and foremost, it is a tool you can use to secure your business.
- It promotes security awareness throughout the organization.
- Fines can be hefty for non-compliance. AMEX non-filing fees: $50,000 non-compliance fee; an additional $150,000 if not compliant in 30 days; an additional $200,000 if 60 days past due; termination of contract if more than 60 days past due, plus the previous fees.
- Fines and costs are even heavier for card-number breaches.
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Systems, Inc.

Slide 7: Cost of a Data Breach
- Raising awareness for PCI: industry data helps, but specific, personalized cost data always prevails.
- Use PCI as a mechanism to expose these costs to the business.
- Data breach costs: average cost per breached record US$204 (was US$138 in 2005); average cost to a breached organization US$6.75 million; legal costs up 56% from 2008 due to an increase in successful class-action lawsuits and the threat thereof.
Source: Annual Study: Cost of a Data Breach

Slide 12: PCI 2.0 Change Breakdown by Category
- 119 changes to provide clarification
- 15 changes for additional guidance
- 2 changes that are evolving requirements
We will only touch on some of the main ones that we think have some significance.

Slide 14: Virtualization Added to Scope
- System components also include any virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors.
- Requirement updated: where virtualization technologies are in use, implement only one primary function per virtual system component.

Slide 18: SAQ C-VT Added
- Applies only to merchants who manually enter a single transaction via a keyboard into an Internet-based virtual terminal solution provided by a third party.
- The computer is isolated in a single location and is not connected to other systems within your environment (this can be achieved via a firewall or network segmentation).
- Greatly simplified and targeted audit requirements.

Slide 21: How the Council Approaches Emerging Technology and Change
- Special Interest Groups (SIGs)
- Solicits outside studies, such as the PWC study
- Technical Working Group (TWG)
- Individual brands release guidance or requirements
- Feedback/input from participating organizations
- Every single comment during the 1.2 comment period was reviewed!
- Anyone can submit a question to the

Slide 22: Point-to-Point Encryption Guidance
- Roadmap focused on encryption at the point-of-interaction (POI) terminal, not site-to-site (S2S).
- Roadmap conclusions: validation methods are still immature; P2PE can simplify PCI but must meet testing validation; it will not eliminate PCI but may reduce scope; independent validation of P2PE is required.
- Validation requirements guide to be released in

Slide 24: Tokenization
- Tokenization defined
- Shifts the risk to the financial institution
- POS: still at risk
- Use cases for tokenization
- Not a silver bullet

Slide 25: Chip & PIN
- EMV defined
- EMV: face-to-face compared to online transactions
- Magstripe still accepted
- PAN not confidential
- EMV and PCI together: "Therefore, in securing the current face-to-face acceptance environment one should not consider it to be a case of either EMV or PCI DSS, but rather EMV and PCI DSS. Both are essential elements in the fight against fraud and data exposure. Together they provide the greatest level of security for cardholder data throughout the entire transaction process."
Source: PCI DSS Applicability in an EMV Environment: A Guidance Document, Version 1, release date October 5,

Slide 26: PCI Design Best Practices: How Cisco Can Help with PCI

Slide 27: PCI DSS 2.0 Scope Definition
PCI security requirements apply to all system components. System components are defined as:
- Any network component, server, or application that is included in or connected to the cardholder data environment.
- Virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors.
The cardholder data environment is that part of the network that possesses cardholder data or sensitive authentication data. Adequate network segmentation, which isolates systems that store, process, or transmit cardholder data from those that do not, may reduce the scope of the cardholder data environment.
Source: PCI DSS

Slide 37: Cisco PCI Compliance Professional Services
- Penetration and Vulnerability Testing (Req. 11): the Cisco Security Posture Assessment (SPA) Service performs penetration testing on the customer's network to determine gaps, holes, and vulnerabilities that could be used to attack the system. This is a PCI requirement that must be performed regularly.
- Business Risk Analysis: the Cisco IT GRC Assessment Service addresses PCI (and other relevant regulations) to determine scope and risk to the business.
- Technical Control Mapping: analysis of the security controls in place and whether they meet the PCI requirements as designed and implemented.
- Security Management Program Analysis: review of the customer's security management program and assessment against PCI standards and ISO (27001 and 38500) to identify areas for improvement.
